Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was established to improve the
healthcare system’s storage and use of patient data. As health insurance and healthcare services modernize and
digitalize, more health information is stored, transferred, and updated digitally. While this streamlines many
administrative and care delivery functions, it also poses a massive threat to health records and personal information,
which are at risk of hacking, leaks, and unauthorized alteration.
In the service of making healthcare insurance safer and more reliable for everyone, Congress recognized the need to
secure patients’ personal information and regulate its disclosure. Per this mission, the Privacy Rule and Security
Rule under HIPAA apply to all protected health information (PHI) and guide the measures needed to guard the privacy
and integrity of health data in the digital age.
To enforce these laws, HIPAA can leverage huge fines even for accidental violation. Clearly, IT departments must
understand how HIPAA applies to their work—in order to correctly handle sensitive information, demonstrate their
compliance with the law, and protect both patients and the organization.
Who is Liable for HIPAA Compliance?
Before reviewing the law itself, it’s helpful to know what organizations are responsible for implementing HIPAA
standards. Covered entities (CE) under HIPAA include healthcare providers, health plans, and healthcare
clearinghouses. Most components of HIPAA also apply to any business associate (BA) of a covered entity, meaning
any third party who handles PHI in providing a service for a CE. A BA, for example, could be an external
administrator who processes claims or a CPA firm that must access protected data to execute its accounting
services.
Failing to understand or properly implement HIPAA standards doesn’t absolve your company of the consequences.
In fact, under HIPAA, institutions can be fined up to $50,000 per offense for a “Tier 1” violation, meaning the non-
compliant organization was “unaware of the HIPAA violation and by exercising due diligence would not have known
HIPAA Rules had been violated.” The Tiers increase in proportion to the severity—and the willfulness—of the
violation. A Tier 4 offense bears a penalty of $50,000 per violation with a maximum of $1.5 million per year.
All of which is to say: if you fulfill the functions of a covered entity or a business associate, you need to know your
relationship to PHI, the regulations to which you are beholden, and the processes you must perform in a HIPAA audit.
HIPAA Requirements
To follow HIPAA, organizations essentially must make a context-appropriate effort to protect patient data, according
to the law’s guidelines. The administrative component of HIPAA specifies that organizations must be in accordance
with transaction and code sets regulations for electronic health records (EHR), have a unique National Provider
Identifier (NPI), protect patient privacy, and ensure health information security.
For the most part, these stipulations affect IT departments through the Privacy Rule and the Security Rule. The
Office of Civil Rights (OCR), an agency nestled within the U.S. Department of Health & Human Services (HHS), is
charged with enforcing these two rules through HIPAA audits, which ensure compliance through HIPAA reporting
submitted by any CE or BA organizations.
Given the wide range in health insurance and healthcare provider organizations, not every covered entity
demonstrates compliance in the same way. HIPAA § 164.306(b)(1) specifically references this “flexibility of
approach,” by which CEs or BAs “may use any security measures that allow the covered entity or business
associate to reasonably and appropriately implement the standards and implementation specifications as specified.”
This language may seem circuitous and vague, but in reality, it recognizes that most of these organizations have
different operations and therefore different security needs. Consequently, organizations may follow different security
and privacy measures, provided they have the proper documentation to prove that they have used their best
judgment to uphold HIPAA regulations.
Good Faith Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
The first Notice of Enforcement Discretion in relation to COVID-19 was announced by OCR on March 17, 2020 and
concerns the good faith provision of telehealth services. OCR is waiving potential penalties for HIPAA violations by
healthcare providers that provide virtual care to patients through everyday communications technologies during the
COVID-19 nationwide public health emergency.
This means healthcare providers are permitted to use everyday communications tools to provide telehealth services
to patients, even if those tools would not normally be considered fully HIPAA compliant.
Platforms such as FaceTime, Skype, Zoom, and Google Hangouts video can be used in the good faith provision of
telehealth services to patients without penalty for the duration of the public health emergency. However, public-
facing platforms such as TikTok and Facebook Live must not be used. Our process is subject to change at our
discretion within legal requirements.
